Last Updated on June 26, 2026 by Narendra Sahoo
The world’s first binding AI regulation is moving into enforcement. This checklist covers every obligation your organisation must evidence — from AI system inventory and risk classification to Annex IV documentation, human oversight, and post-market monitoring.
|
2 Aug 2026
Article 50 transparency obligations go live
|
€35M / 7%
Max penalty for prohibited AI practices
|
4 Risk Tiers
Prohibited, High-Risk, Limited, Minimal
|
35.7%
Of managers who feel adequately prepared for EU AI Act
|
1️⃣ What Is the EU AI Act?
The EU AI Act (Regulation (EU) 2024/1689) is the world’s first comprehensive binding AI regulation. It entered into force on 1 August 2024 and establishes a risk-based framework that classifies AI systems into four tiers — prohibited, high-risk, limited risk, and minimal risk — with escalating obligations and penalties up to €35 million or 7% of global annual turnover.
The Act applies to any organisation that builds, deploys, imports, or distributes AI systems that affect EU persons — regardless of where the organisation is headquartered. If your AI output reaches EU users, you are in scope. This includes organisations based in the US, UK, Singapore, India, and beyond.
An EU AI Act compliance checklist is a structured framework that helps organisations systematically identify, classify, and govern all AI systems within scope of the regulation. It covers AI system inventory, risk classification, conformity assessment requirements, technical documentation (Annex IV), human oversight obligations, GPAI model obligations, and post-market monitoring.
The organisations most exposed under the EU AI Act are not the ones using the most advanced AI. They are the ones unable to prove operational control. Regulators will not assess intentions. They will assess proof.
|
Is your AI system EU AI Act compliant? VISTA InfoSec’s CREST-approved consultants deliver practitioner-led AI governance assessments — built on operational audit experience, not theoretical templates. |
2️⃣ EU AI Act Enforcement Timeline
Understanding when each obligation becomes enforceable is the first step in any EU AI Act compliance programme. Enforcement is phased — missing a date does not mean missing everything, but it does mean accumulating regulatory risk.
3️⃣ Step 1 — AI System Inventory and Risk Classification
The first step in your EU AI Act compliance programme is correctly classifying your AI system. This determines market access, governance obligations, and potential penalties. A misclassification can significantly increase compliance requirements.
More than half of organisations have not established systematic inventories of the AI systems they operate — the minimum prerequisite for any compliance programme. You cannot classify what you cannot see.
👉 Sectors Most Commonly Misclassified as Lower Risk
An HR screening tool may appear to be limited risk but qualifies as Annex III high-risk because it affects employment decisions. Common misclassification areas:
| ✓ Healthcare — Clinical decision support, diagnostic AI, patient triage and prioritisation tools |
| ✓ HR and Recruitment — CV screening, candidate scoring, employee performance monitoring, work allocation tools |
| ✓ Financial Services — Credit scoring, insurance risk assessment, fraud detection affecting individual EU persons |
| ✓ Education Technology — Student assessment tools, adaptive learning systems, examination proctoring AI |
| ✓ Public Sector — Any AI affecting access to benefits, services, or critical infrastructure decisions |
| □ Compile a complete inventory of all AI systems in operation (internal and vendor-supplied) |
| □ Identify your legal role for each system: provider (built/placed on market) or deployer (uses it operationally) |
| □ Assign a documented risk classification (prohibited / high-risk / limited / minimal) with written rationale |
| □ Check all Annex III sectors for potential high-risk classification — do not assume lower risk |
| □ Verify no AI systems fall under Article 5 prohibited practices — if so, immediate action required |
| □ Schedule inventory review at least quarterly and whenever new AI tools are procured |
| Not sure how to classify your AI systems?
VISTA InfoSec conducts AI system inventories and delivers written risk classification rationale aligned to Annex III — ready for regulatory scrutiny. |
4️⃣ Step 2 — Provider vs Deployer Obligations
The EU AI Act structures obligations around your legal role — not your job title. Getting this wrong is one of the most common compliance gaps.
|
🛠 PROVIDER Develops or places an AI system on the EU market under your name or trademark — paid or free. Heaviest obligation set.
|
📋 DEPLOYER Uses a high-risk AI system in operations. Independent obligations under Article 26 — a vendor’s certification does not protect you.
|
Many organisations assume their vendor’s certification protects them. It does not. Under Article 26, deployers hold independent obligations separate from providers. Regulators can demand evidence of oversight, logging, governance, and lawful operational use regardless of vendor certification status. A conformity assessment proves the provider built the system correctly. It does not prove your organisation operates lawfully.
5️⃣ Step 3 — High-Risk AI System Compliance Checklist
For organisations operating Annex III high-risk AI systems, the following obligations must be evidenced. The hardest requirements are operational rather than paperwork-driven — much of the burden falls on ongoing risk controls, traceable audit trails, human review, security safeguards, and maintained technical records.
👉 3A — Risk Management System (Article 9)
| □ Establish a continuous, iterative risk management process covering the full AI system lifecycle |
| □ Identify and analyse known and reasonably foreseeable risks to health, safety, and fundamental rights |
| □ Estimate and evaluate identified risks with documented mitigation measures |
| □ Confirm residual risks are acceptable; establish feedback loops from deployment back into risk evaluation |
👉 3B — Data Governance and Logging (Articles 10 & 12)
| □ Implement data governance practices covering training, validation, and testing datasets |
| □ Ensure data is relevant, representative, accurate, and free from bias where technically feasible |
| □ Implement automatic logging capabilities to enable traceability of AI outputs |
| □ As deployer: retain operational logs for a minimum of 6 months (Article 26) |
👉 3C — Annex IV Technical Documentation (Article 11)
| □ Draw up Annex IV technical documentation before market placement — not after |
| □ Include: general description of the system, intended purpose, system architecture, design logic |
| □ Include: training methodologies, datasets used, validation and testing procedures, performance metrics |
| □ Include: known limitations, risks, and the measures taken to mitigate them |
| □ Maintain documentation throughout the system lifecycle — update for any substantial modification |
|
Need help building your Annex IV documentation? VISTA InfoSec builds EU AI Act technical documentation packages that are audit-ready from day one — covering risk management, data governance, human oversight, and conformity assessment evidence. |
👉 3D — Human Oversight (Article 14)
| □ Implement and document human oversight procedures for every high-risk AI system in operation |
| □ Assign designated oversight personnel before deployment — with documented competence, training, and authority |
| □ Ensure oversight personnel can understand AI outputs and intervene or override where necessary |
| □ Document the oversight mechanism in the technical file and operational procedures |
👉 3E — Accuracy, Robustness and Cybersecurity (Article 15)
| □ Define relevant accuracy metrics and test systems against identified risks throughout their lifecycle |
| □ Implement cybersecurity measures addressing AI-specific threats: data poisoning, model evasion, adversarial attacks |
| □ Specify accuracy levels in accompanying technical documentation |
| □ Assess confidentiality attacks and model flaws; document mitigation controls |
👉 3F — Fundamental Rights Impact Assessment — FRIA (Article 27)
| □ Conduct a FRIA before deploying high-risk AI systems affecting vulnerable groups or public services |
| □ Document the assessment and retain it as evidence — regulators can request it |
| □ Update the FRIA whenever the intended purpose or operating context materially changes |
6️⃣ Step 4 — General-Purpose AI (GPAI) Model Obligations
GPAI model obligations (Articles 51–55) have applied since 2 August 2025. These apply to foundation models and large language models placed on the EU market — including models like GPT, Claude, Gemini, Llama, and Mistral, and importantly to organisations that build applications using these models as a base.
| □ Maintain technical documentation for the EU AI Office covering model architecture and training procedures |
| □ Publish a sufficiently detailed summary of training content (training data transparency) |
| □ Implement copyright compliance policies respecting EU copyright law and rights reservations |
| □ Furnish technical information to downstream providers building on your model |
| □ For systemic-risk models (>10²⁵ FLOPs): conduct adversarial testing, report serious incidents to AI Office |
| □ Consider signing the GPAI Code of Practice for a presumption of conformity — voluntary but strongly recommended |
7️⃣ Step 5 — Transparency Obligations (Article 50) — Deadline: 2 Aug 2026
Article 50 transparency obligations apply to chatbots, AI-generated media, emotion recognition, and biometric categorisation systems — regardless of their risk classification. These become enforceable on 2 August 2026.
| □ Ensure all chatbots and conversational AI clearly disclose at the start of every interaction that users are communicating with an AI system |
| □ Apply machine-readable labelling to all AI-generated audio, image, video, and text content |
| □ Disclose the use of emotion recognition or biometric categorisation systems to affected persons |
| □ Implement AI literacy training for all staff involved in AI oversight or operation (Article 4 — already enforceable) |
| Article 50 enforcement starts 2 August 2026 — are your chatbots and AI outputs compliant?
VISTA InfoSec reviews your AI interfaces, labelling practices, and transparency disclosures against Article 50 requirements — before enforcement begins. |
8️⃣ Step 6 — Conformity Assessment and EU Database Registration
High-risk AI systems must undergo a conformity assessment and be registered in the EU’s public AI database before deployment. The conformity assessment proves the provider built the system correctly — but as noted, it does not discharge the deployer’s independent obligations.
| □ Complete internal conformity assessment (Annex VI) or third-party assessment (Annex VII) as required |
| □ Affix CE marking and draw up EU declaration of conformity before market placement |
| □ Register the high-risk AI system in the EU AI public database prior to deployment |
| □ Re-assess conformity following any substantial modification to the system |
9️⃣ Step 7 — Post-Market Monitoring and Incident Reporting
EU AI Act compliance is not a one-time project. Post-market monitoring (Article 72) and serious incident reporting (Article 73) mean that obligations continue throughout the operational life of the AI system. Organisations that treat compliance as a deployment checklist will fail.
| □ Implement a post-market monitoring system to actively collect, document, and analyse performance data throughout the AI lifecycle |
| □ Establish a process for reporting serious incidents and malfunctioning to national competent authorities |
| □ Implement corrective actions (Article 20) where post-market monitoring identifies risks or non-conformity |
| □ Feed post-market findings back into the risk management system — this loop is itself a compliance requirement |
10️⃣ SMEs and Startups — What the Proportionality Provisions Mean
The EU AI Act includes specific proportionality provisions for SMEs and startups under Article 55. Regulatory sandboxes and simplified conformity assessment pathways are available. However, proportionality does not mean exemption.
| ✓ SMEs are not exempt from high-risk AI obligations — proportionality applies to administrative burden, not to safety requirements |
| ✓ National competent authorities must provide SMEs with dedicated guidance, support, and sandbox access |
| ✓ Reduced fees apply to SMEs in certain conformity assessment procedures |
| ✓ SMEs with existing ISO 27001 or SOC 2 controls can significantly reduce compliance cost through control mapping — these frameworks address many overlapping obligations |
|
How exposed is your organisation to EU AI Act enforcement? VISTA InfoSec delivers a structured EU AI Act readiness assessment — covering AI inventory, classification, provider/deployer obligations, and documentation gaps — with a prioritised compliance roadmap.
|
Frequently Asked Questions
| VISTA InfoSec • CREST-Approved EU AI Act Consultants
Build Your EU AI Act Compliance Programme From AI system inventory and risk classification to Annex IV documentation and post-market monitoring — VISTA InfoSec’s certified practitioners guide you from readiness to evidence.
|
Narendra Sahoo (PCI QPA, PCI QSA, PCI SSF ASSESSOR, CISSP, CISA, CRISC, 27001 LA) is the Founder and Director of VISTA InfoSec, a global Information Security Consulting firm, based in the US, Singapore & India. Mr. Sahoo holds more than 25 years of experience in the IT Industry, with expertise in Information Risk Consulting, Assessment, & Compliance services. VISTA InfoSec specializes in Information Security audit, consulting and certification services which include GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS Compliance & Audit, PCI PIN, SOC2 Compliance & Audit, PDPA, PDPB to name a few. The company has for years (since 2004) worked with organizations across the globe to address the Regulatory and Information Security challenges in their industry. VISTA InfoSec has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.